Market Watch: Identity as a Service

Identity as a service (IDaaS) was developed to deal with a new need that's arisen with the popularity of cloud computing: identity management for the exploding number of Software as a Service (SaaS) applications available on an almost instant basis. At the end of 2011, Gartner estimated that global SaaS revenue hit $12 billion, a 21 percent increase over 2010, and that SaaS will account for 15 percent of enterprise application purchases by 2015. And right along with this growth is the problem of how to manage user identities for all of these applications.

Adding the on-premises capability of securely managing cloud identities for SaaS applications requires some work. You need to set up an Internet single sign-on (SSO) federation solution, and once you've set it up, you have to manage it. One of the larger tasks in running your own federation solution is managing the relationships with the ever-increasing number of SaaS vendors. Many companies simply don't want to add these on-premises costs at the same time they're shifting some of their IT capabilities to the cloud.

IDaaS moves this heavy lifting from your premises to the cloud. Instead of running your own cloud identity management system, the IDaaS vendor does all the work. The IDaaS vendor sets up and maintains federated trusts for SaaS vendors that support federation, creates customized connections (such as forms-based authentication) for vendors that don't support it, manages account provisioning and deprovisioning, performs auditing, and provides a variety of other identity-related services. All the customer needs to do is set up an interface with the IDaaS vendor, which, depending on the complexity of the installation, can take as little as a few hours or as long as a month.

The leaders in the IDaaS market include Intel, Okta, OneLogin, PasswordBank Technologies, Ping Identity, and Symplified. Which IDaaS provider you choose depends on your requirements. Some providers, like Okta, focus on the most common scenario of providing SSO to SaaS applications for an enterprise with an on-premises AD system. Others provide a variety of possible configurations. For example, PasswordBank has seven IDaaS-related options and Symplified has a broad feature portfolio.

IDaaS Technology

Security issues associated with SaaS applications have been gaining wider attention over the last six months, which has been fueling business decision makers' interest in IDaaS. They're becoming increasingly aware that the IDaaS technology can solve their SaaS application security problems on a subscription basis. This top-down interest has been driving much of the adoption of IDaaS, despite IT's misgivings.

Before IT pros and their managers can accept how IDaaS solves some of the challenges associated with cloud identity, they must know what the challenges are. And before IT pros can understand the challenges, they must understand basic cloud identity technology.

IDaaS solutions contain two key components: the identity store and the identity portal. (For information about some of the other components, see "Outsourcing Your Identity with IDaaS.") Each IDaaS solution has an identity store, which can be configured in a number of ways. Typically, this store contains a synchronized set of identities from an Active Directory (AD) security group or organizational unit (OU) that are authorized to use the IDaaS service. These identities are then provisioned out to the cloud applications.

However, the identity store doesn't have to contain only identity data replicated from an enterprise. Using IDaaS as a hosted identity provider, a large company could keep their contractor identities in the cloud identity store, thus allowing access to a variety of applications while keeping the identities out of the corporate AD system.

The core UI component is the identity portal, where users log on once and are then provided access to the cloud services for which they've been authorized. This identity portal can be in the cloud, in an on-premises component, or in a browser add-on. For example, Symplified offers Identity Router, which acts as an identity portal and proxy server. Through policies, it determines the identity store that users authenticate against. (It can be an on-premises identity store, a cloud identity provider such as Google, or Symplified's own identity store.) Identity Router then performs the authentication on behalf of the user, in whatever format is required by the identity store. Identity Router can be installed as an on-premises managed hardware appliance or virtual machine (VM), or as a VM in the cloud.

IDaaS Benefits

The popularity of IDaaS as a viable alternative to on-premises solutions is understandable, since it has a number of advantages over traditional solutions. The fact that Intel has entered the market is, to me, a validation of its potential growth. One advantage of IDaaS is that auditing SaaS application usage is often simpler than with other solutions because all traffic accessing the cloud services goes either through an on-premises agent or directly through the IDaaS service portal. Okta, for example, provides audit information on user activation, user activity, user access, application usage, user provisioning, and user deprovisioning.

With on-premises federation solutions, it takes time to work out and establish trust relationships with the SaaS vendors that users need. With IDaaS, users can immediately get SSO access to thousands of SaaS applications (once they've subscribed to them). And the sooner you can get users to securely access these applications the better, because they're likely already accessing these applications in an insecure manner.

Some IDaaS providers offer aggregation services to make it easier to present on-premises identity data, which might be in many places, as a single instance to cloud applications. Symplified, for example, has a virtual directory service built into its product. Even if you haven't gotten your own internal identity management quite organized yet, a virtual directory service will take identity data from AD, relational databases, and miscellaneous LDAP directories, and create a consolidated view for SaaS applications to consume. (For more information about virtual directory services, see "The Rise of Virtual Directory Servers.")

Some IDaaS providers extend their enterprise integration into unique areas. PasswordBank's Enterprise SSO offering, for example, includes the ability to manage time and employee attendance through integration with clock in/out systems (e.g., punch clocks) or through RFID, smart cards, or biometric devices. Mobile support is quickly becoming a must-have, and most of these vendors offer add-on products that provide cloud SSO to a wide variety of mobile devices and tablets.

Most IDaaS vendors provide support for strong authentication, either through their own interface or through integration with solutions from companies such as CrunchBase, RSA, SafeNet, Symantec, VASCO, and Yubico. This is another advantage of an IDaaS solution: because users can be channeled through a single portal, a software-based strong authentication solution can be located on the portal instead of installed on all the individual clients. For example, Intel's Expressway Cloud Access 360 offers an add-on feature (Nordic Edge One Time Password Server) that provides two-factor authentication for mobile clients by sending the one-time password to the device via SMS, email, chat, or mobile client app.

Getting access to SaaS applications isn't only about authenticating users. You must also efficiently manage the user accounts across hundreds or thousands of these applications. All the IDaaS vendors provide some kind of support for provisioning the user accounts into their service, but because SaaS providers generally charge for their service based on the number of users signed up for it, you don't want to create accounts in the service until they're needed. As a result, manual provisioning (preloading users from a worksheet or .csv file) isn't desirable. A better approach is directory synchronization, where users that are members of a particular AD security group (such as Salesforce Users) are automatically created in the cloud service and removed when a member leaves the group. Cloud account management is thereby done at the AD end of the equation. Just-in-time (JIT) provisioning takes this a step further. Even though the user might exist in the Salesforce Users security group in AD, a user account for a cloud service isn't created until the user attempts to access the service for the first time.
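As an added illustration of the directory-synchronization and JIT models described above (this is not code from the article or from any vendor it names; the SaaS tenant object, the group membership and the user names are constructed):

```python
# Added example (not code from the article or any vendor named in it): a small
# model of the two automated provisioning styles the article describes, with
# constructed AD group membership and a hypothetical SaaS tenant object.
from dataclasses import dataclass, field


@dataclass
class SaasTenant:
    """Hypothetical SaaS application: one billable seat per provisioned account."""
    name: str
    accounts: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def create(self, user: str) -> None:
        self.accounts.add(user)
        self.audit.append(("provision", user))

    def deprovision(self, user: str) -> None:
        self.accounts.discard(user)
        self.audit.append(("deprovision", user))

    def billable_seats(self) -> int:
        return len(self.accounts)


def sync_group(ad_group: set, tenant: SaasTenant) -> dict:
    """Directory synchronization: the AD group (e.g. 'Salesforce Users') is the
    source of truth. Members gain an account; users who left the group lose it."""
    created = sorted(ad_group - tenant.accounts)
    removed = sorted(tenant.accounts - ad_group)
    for user in created:
        tenant.create(user)
    for user in removed:
        tenant.deprovision(user)
    return {"created": created, "removed": removed}


def jit_access(user: str, ad_group: set, tenant: SaasTenant) -> bool:
    """Just-in-time provisioning: group membership is still required, but the
    account is created only when the user first reaches the application."""
    if user not in ad_group:
        tenant.audit.append(("denied", user))
        return False
    if user not in tenant.accounts:
        tenant.create(user)
    return True


if __name__ == "__main__":
    group = {"alice", "bob", "carol"}          # constructed 'Salesforce Users' group
    synced, jit = SaasTenant("crm-sync"), SaasTenant("crm-jit")
    sync_group(group, synced)                  # three seats billed immediately
    jit_access("alice", group, jit)            # one seat; others only on first use
    print(synced.billable_seats(), jit.billable_seats())
```

Running the script shows the licensing difference the article points at: full synchronization bills every group member at once, while JIT bills only the members who have actually used the application.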

The connection between your enterprise and the IDaaS provider is clearly of great importance; without it, users will be unable to access their SaaS applications. If you use the most common configuration, a local agent that synchronizes identities between your on-premises AD system and the IDaaS provider, the agent usually communicates via LDAP over SSL (LDAPS). If you configure the IDaaS connection to remain active only during the authentication of a user session, then once users log on to a SaaS application they'll communicate directly with the application, and an IDaaS outage won't interrupt them. If you configure the connection to remain online for the entire session (for example, to get greater auditing detail), the connection must remain available at all times.

I'm instinctively a little uncomfortable with the snake-eating-its-own-tail feeling of basing one's access to cloud services on a cloud service. As failures have shown in the past, just being in a cloud service doesn't necessarily make it fault tolerant. So, you should look into the high availability architecture of any IDaaS service you're seriously interested in.

IDaaS Moving From Radical to Mainstream

Using IDaaS for identity management is quickly moving from a cutting-edge, radical idea that only small companies would try to a viable, mainstream identity-management option. IDaaS providers are now handling identity management for some very large enterprises. For example, Symplified supports over 3 million licensed users in total and OneLogin just won a contract that involves millions of users. Although small or new companies might opt for an identity-entirely-in-the-cloud configuration, most companies will likely want to use an IDaaS solution as part of a hybrid on-premises/cloud solution. These companies will retain their existing investment in identity management but use a new identity model to accommodate the new cloud computing model.

Sean writes about cloud identity, Microsoft hybrid identity, and whatever else he finds interesting at his blog on Enterprise Identity and on Twitter at @shorinsean.
